Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

Transcription

1 Lecture 20: & Hybrid Encryption

2 Lecture 20: & Hybrid Encryption

3 Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B Alice sends the second message m A Now, parties can compute a secret key key that is hidden from an eavesdropper (who got to see the first message by Bob and the second message by Alice) For example, the Diffie-Hellman key-exchange protocol. Bob sends m B = g b, Alice sends m A = g a, and both parties compute the key key = g ab, but it remains hidden from any computationally bounded adversary who sees only A = g a and B = g b. Using this 2-round key-agreement protocol we can construct a public-key encryption scheme. For example, using the Diffie-Hellman key-exchange protocol, we shall construct the ElGamal public-key encryption scheme

4 First Component: 2-round Key-Agreement Protocol I Suppose we have a protocol Π 2 KA, which is a 2-round key-agreement protocol that looks like the following Alice Bob m B m A key k key k Note that Π 2 KA can be any 2-round key-agreement protocol. One such example is the Diffie-Hellman key-agreement protocol. The next slide presents this protocol in this template.

5 First Component: 2-round Key-Agreement Protocol II For example, we consider Π 2 KA to be the Diffie-Hellman key agreement protocol Alice m B = g b m A = g a Bob key k = m a B key k = m b A

6 Second Component: Private-key Encryption I Suppose we have a private-key encryption scheme (Gen, Enc, Dec). Without loss of generality, we can assume that Gen() outputs a uniformly random key sk from a set S. Recall that a private-key encryption scheme looks as follows Gen () sk sk c = Enc sk (m) m = Dec sk (c)

7 Second Component: Private-key Encryption II Consider, for example, the one-time pad encryption scheme Gen () sk sk c = m sk m = c inv(sk)

8 Combining to obtain a Scheme I If the key of the first component is random over the set S (from which the private-key of the second-component is chosen) then we can stick together these two protocols as follows Alice Bob m B m A key k key k Set sk = k c = Enc sk (m) Set sk = k m = Dec sk (c)

9 Combining to obtain a Scheme II We can merge the message m A and c into one-single message. And we get the following scheme. Alice m B Bob key k Set sk = k m A, c = Enc sk (m) key k Set sk = k m = Dec sk (c)

10 Combining to obtain a Scheme III Every time we want to encrypt a message m, we calculate a fresh key k. And we get the following scheme. Alice m B Bob key k Set sk = k m A, c = Enc sk (m) key k Set sk = k m = Dec sk (c)

11 Combining to obtain a Scheme IV Finally, we interpret the message m B as the public-key for Bob. And the messages (m A, c) as the encryption of the message m. This gives us our public-key encryption scheme! Alice pk = m B Bob key k Set sk = k c = (m A, c ), where c = Enc sk (m) key k Set sk = k m = Dec sk (c)

12 Example I Suppose our first component is Diffie-Hellman key-agreement protocol and the second component is one-time pad. Then we get the following public-key encryption scheme. Alice pk = g b Bob key k = g ab Set sk = k c = (m A = g a, c = m g ab ) key k = g ab Set sk = k m = c inv(g ab )

13 Example II This is the ElGamal public-key encryption scheme!

14 Summary: ElGamal Encryption I Let us summarize the ElGamal as an instantiation of 2-round Diffie-Hellman key-agreement protocol and the one-time pad private-key encryption scheme Recall that to describe a private-key encryption scheme we had to provide the algorithms (Gen, Enc, Dec). Similarly, to describe a public-key encryption scheme, we will have to provide the (Gen, Enc, Dec) algorithms Assume that the DDH Assumption holds for the group (G, ) of size N, and the group G has a generator g For perspective, N is large and is in the order of 2 n, where n = Our algorithms have to be polynomial in n and the adversary, to break the scheme, has to invest roughly 2 constant n effort

15 Summary: ElGamal Encryption II Generation Algorithm. Recall that in the private-key encryption scheme the generation algorithm Gen() outputs the secret-key for the encryption scheme. In public-key encryption, the generation algorithm has to output the public-key pk for the scheme. Additionally, it has to output the trapdoor trap that assists the receiver to decrypt the cipher-text. If such a trapdoor does not exist, then Bob gets no additional advantage over an eavesdropper to decrypt the cipher-text. Gen(): 1 Sample b $ {0, 1, 2,..., N 1} 2 B = g b (using repeated squaring technique) 3 Return (pk = B, trap = b) Now, the receiver can broadcast the pk to everyone and keep trap secret with herself to assist in the decryption algorithm

16 Summary: ElGamal Encryption III Encryption Algorithm. Recall that in the private-key encryption scheme the encryption algorithm takes two inputs (the secret-key and the message) Enc sk (m) and outputs the cipher-text. In the public-key encryption, it will take the public-key and the message as input and output the cipher-text. Enc pk (m): 1 Sample a $ {0, 1, 2,..., N 1} 2 A = g a (using repeated squaring technique) 3 mask = pk a (using repeated squaring technique) 4 Return the cipher-text c = (A, m mask) In the ElGamal encryption scheme pk = B. Note that each time the encryption algorithm is invoked, it will create a new random mask. If the same mask is generated in two different invocations of the encryption algorithm, then it must be the case that the same A was generate in those two invocations. That

17 Summary: ElGamal Encryption IV implies that the same a was generate in those two invocations, which has probability 2 n = 2 n/2 by the birthday bound)

18 Summary: ElGamal Encryption V Decryption Algorithm. Recall that in the private-key encryption scheme the decryption algorithm takes two inputs (the secret-key and the cipher-text) Dec sk (c). In the public-key encryption, it will take the cipher-text and the trapdoor generated during the generation procedure as input. Dec trap (Ã, c): 1 mask(ã)trap 2 Return c inv( mask) Recall that trap = b. If à = g a, then mask = g ab.

19 Hybrid Encryption I We will combine any public-key encryption scheme with any private-key encryption scheme to create a new public-key encryption (called, the hybrid-encryption scheme) We emphasize that any public-key encryption scheme can be used. It need not be the ElGamal Scheme. You can choose any encryption scheme that you prefer. The benefit of hybrid-encryption is that it allows us to combine two encryption scheme in a modular fashion. Suppose the public-key encryption scheme is provided by the triplet of algorithms (Gen (pub), Enc (pub), Dec (pub) )

20 Hybrid Encryption II Suppose the private-key encryption scheme is provided by the triplet of algorithms (Gen (priv), Enc (priv), Dec (priv) ) Now, we need to describe the hybrid-encryption scheme algorithms (Gen (hyb), Enc (hyb), Dec (hyb) )

21 Hybrid Encryption III Let us first draw a block-diagram for intuition purpose sk m pk Public-key Encryption Private-key Encryption c 1 c 2 The secret-key sk will be encrypted by the public-key encryption The secret-key sk will be used to encryption the actual message m using the private-key encryption

22 Hybrid Encryption IV Generation Algorithm for Hybrid-Encryption. Gen (hyb) (): 1 Return (pk, trap) = Gen (pub) () The receiver broadcasts pk and keeps trap safe with herself

23 Hybrid Encryption V Encryption Algorithm for Hybrid-Encryption. Enc pk (m): 1 Generate sk = Gen (priv) () 2 Encrypt the secret-key c 1 = Enc (pub) pk (sk) 3 Encrypt the message c 2 = Enc (priv) (m) 4 Return the cipher-test (c 1, c 2 ) sk

24 Hybrid Encryption VI Decryption Algorithm for Hybrid-Encryption. Dec trap ( c 1, c 2 ): 1 Decrypt the secret-key sk = Dec (pub) trap ( c 1 ) 2 Return the decrypted the message m = Dec (priv) ( c 2 ) sk